From 49643313d79e03df6fb4fe26d3e3281c413e3655 Mon Sep 17 00:00:00 2001 From: Jeremy Stanley Date: Thu, 30 Jun 2022 16:59:39 +0000 Subject: [PATCH] Redirect all Mailman sites from HTTP to HTTPS For the past six months, all our mailing list sites have supported HTTPS without incident. The main downside to the current implementation is that Mailman itself writes some URLs with an explicit scheme, causing people submitting forms from pages served over HTTPS to get warnings because the forms are posting to plain HTTP URLs for the same site. In order to correct this, we need to tell Mailman to put https:// instead of http:// into these, but doing so essentially eliminates any reason for us to continue serving content over plain HTTP anyway. Configure the default URL scheme of all our Mailman sites to use HTTPS now, and set up permanent redirects from HTTP to HTTPS, per the examples in the project's documentation: https://wiki.list.org/DOC/4.27%20Securing%20Mailman%27s%20web%20GUI%20by%20using%20Secure%20HTTP-SSL%20%28HTTPS%29 Also update our testinfra functions to validate the blanket redirects and perform all other testing over HTTPS. Once this merges, the fix_url script will need to be run manually against all lists for the current sites, as noted in that document. Change-Id: I366bc915685fb47ef723f29d16211a2550e02e34 --- .../templates/mailman_multihost.vhost.j2 | 56 +----------- .../mailman-site/templates/mm_site_cfg.py.j2 | 2 +- .../roles/mailman/templates/mailman.vhost.j2 | 51 +---------- .../roles/mailman/templates/mm_cfg.py.j2 | 2 +- testinfra/test_lists_k_i.py | 12 ++- testinfra/test_lists_o_o.py | 91 ++++++++++--------- 6 files changed, 58 insertions(+), 156 deletions(-) diff --git a/playbooks/roles/mailman-site/templates/mailman_multihost.vhost.j2 b/playbooks/roles/mailman-site/templates/mailman_multihost.vhost.j2 index 60e2dd173f..2aef336120 100644 --- a/playbooks/roles/mailman-site/templates/mailman_multihost.vhost.j2 +++ b/playbooks/roles/mailman-site/templates/mailman_multihost.vhost.j2 @@ -9,61 +9,7 @@ CustomLog ${APACHE_LOG_DIR}/{{ mailman_site.listdomain }}-access.log combined - DocumentRoot /var/www - -RewriteEngine on -# TODO(fungi): convert this vhost into a blanket redirect to HTTPS when ready -RewriteRule ^/$ /cgi-bin/mailman/listinfo [R] -RewriteCond %{HTTP_HOST} ^lists\.openstack\.org$ [nocase] -RewriteRule /(cgi-bin/mailman/listinfo|pipermail)/(community|foundation|foundation-board|foundation-board-confidential|goldmembers|marketing|staff|summitsponsors)(/.*|$) %{REQUEST_SCHEME}://lists.openinfra.dev/$1/$2$3 [last,redirect=permanent] -RewriteCond %{HTTP_HOST} ^lists\.openstack\.org$ [nocase] -RewriteRule /(cgi-bin/mailman/listinfo|pipermail)/(edge-computing)(/.*|$) %{REQUEST_SCHEME}://lists.opendev.org/$1/$2$3 [last,redirect=permanent] - -# We can find mailman here: -ScriptAlias /cgi-bin/mailman/ /usr/lib/cgi-bin/mailman/ -# And the public archives: -Alias /pipermail/ /srv/mailman/{{ mailman_site.name }}/archives/public/ -# Logos: -Alias /images/mailman/ /usr/share/images/mailman/ - -# Use this if you don't want the "cgi-bin" component in your URL: -# In case you want to access mailman through a shorter URL you should enable -# this: -#ScriptAlias /mailman/ /usr/lib/cgi-bin/mailman/ -# In this case you need to set the DEFAULT_URL_PATTERN in -# /etc/mailman/mm_cfg.py to http://%s/mailman/ for the cookie -# authentication code to work. Note that you need to change the base -# URL for all the already-created lists as well. - - - AllowOverride None - Options ExecCGI - AddHandler cgi-script .cgi - SetEnv HOST {{ mailman_site.listdomain }} - Order allow,deny - Allow from all - = 2.4> - Require all granted - - - - Options FollowSymlinks - AllowOverride None - Order allow,deny - Allow from all - = 2.4> - Require all granted - - - - AllowOverride None - Order allow,deny - Allow from all - = 2.4> - Require all granted - - - + RedirectPermanent / https://{{ mailman_site.listdomain }}/ diff --git a/playbooks/roles/mailman-site/templates/mm_site_cfg.py.j2 b/playbooks/roles/mailman-site/templates/mm_site_cfg.py.j2 index 74cdb8dc7b..3f00829d3e 100644 --- a/playbooks/roles/mailman-site/templates/mm_site_cfg.py.j2 +++ b/playbooks/roles/mailman-site/templates/mm_site_cfg.py.j2 @@ -57,7 +57,7 @@ MAILMAN_SITE_LIST = 'mailman' #------------------------------------------------------------- # If you change these, you have to configure your http server # accordingly (Alias and ScriptAlias directives in most httpds) -DEFAULT_URL_PATTERN = 'http://%s/cgi-bin/mailman/' +DEFAULT_URL_PATTERN = 'https://%s/cgi-bin/mailman/' PRIVATE_ARCHIVE_URL = '/cgi-bin/mailman/private' IMAGE_LOGOS = '/images/mailman/' diff --git a/playbooks/roles/mailman/templates/mailman.vhost.j2 b/playbooks/roles/mailman/templates/mailman.vhost.j2 index 5ef04c0328..5de22fa031 100644 --- a/playbooks/roles/mailman/templates/mailman.vhost.j2 +++ b/playbooks/roles/mailman/templates/mailman.vhost.j2 @@ -9,56 +9,7 @@ CustomLog ${APACHE_LOG_DIR}/{{ mailman_listdomain }}-access.log combined - DocumentRoot /var/www - -RewriteEngine on -# TODO(fungi): convert this vhost into a blanket redirect to HTTPS when ready -RewriteRule ^/$ /cgi-bin/mailman/listinfo [R] - -# We can find mailman here: -ScriptAlias /cgi-bin/mailman/ /usr/lib/cgi-bin/mailman/ -# And the public archives: -Alias /pipermail/ /var/lib/mailman/archives/public/ -# Logos: -Alias /images/mailman/ /usr/share/images/mailman/ - -# Use this if you don't want the "cgi-bin" component in your URL: -# In case you want to access mailman through a shorter URL you should enable -# this: -#ScriptAlias /mailman/ /usr/lib/cgi-bin/mailman/ -# In this case you need to set the DEFAULT_URL_PATTERN in -# /etc/mailman/mm_cfg.py to http://%s/mailman/ for the cookie -# authentication code to work. Note that you need to change the base -# URL for all the already-created lists as well. - - - AllowOverride None - Options ExecCGI - AddHandler cgi-script .cgi - Order allow,deny - Allow from all - = 2.4> - Require all granted - - - - Options FollowSymlinks - AllowOverride None - Order allow,deny - Allow from all - = 2.4> - Require all granted - - - - AllowOverride None - Order allow,deny - Allow from all - = 2.4> - Require all granted - - - + RedirectPermanent / https://{{ mailman_listdomain }}/ diff --git a/playbooks/roles/mailman/templates/mm_cfg.py.j2 b/playbooks/roles/mailman/templates/mm_cfg.py.j2 index 1a8516109f..c165432728 100644 --- a/playbooks/roles/mailman/templates/mm_cfg.py.j2 +++ b/playbooks/roles/mailman/templates/mm_cfg.py.j2 @@ -57,7 +57,7 @@ MAILMAN_SITE_LIST = 'mailman' #------------------------------------------------------------- # If you change these, you have to configure your http server # accordingly (Alias and ScriptAlias directives in most httpds) -DEFAULT_URL_PATTERN = 'http://%s/cgi-bin/mailman/' +DEFAULT_URL_PATTERN = 'https://%s/cgi-bin/mailman/' PRIVATE_ARCHIVE_URL = '/cgi-bin/mailman/private' IMAGE_LOGOS = '/images/mailman/' diff --git a/testinfra/test_lists_k_i.py b/testinfra/test_lists_k_i.py index a56b76d3cd..8768c9ea3a 100644 --- a/testinfra/test_lists_k_i.py +++ b/testinfra/test_lists_k_i.py @@ -17,11 +17,15 @@ def test_mm_list_is_present(host): assert 'kata-dev' in cmd.stdout def test_mm_list_site(host): - cmd = host.run('curl ' - '--resolve lists.katacontainers.io:80:127.0.0.1 ' - 'http://lists.katacontainers.io/cgi-bin/mailman/listinfo') - assert 'lists.katacontainers.io Mailing Lists' in cmd.stdout cmd = host.run('curl --insecure ' '--resolve lists.katacontainers.io:443:127.0.0.1 ' 'https://lists.katacontainers.io/cgi-bin/mailman/listinfo') assert 'lists.katacontainers.io Mailing Lists' in cmd.stdout + +def test_mm_list_site_redirect_http(host): + cmd = host.run('curl ' + '--resolve lists.katacontainers.io:80:127.0.0.1 ' + 'http://lists.katacontainers.io/cgi-bin/mailman/listinfo') + assert ('The document has moved here') in cmd.stdout diff --git a/testinfra/test_lists_o_o.py b/testinfra/test_lists_o_o.py index df2f6ebe4a..b7a8ccee42 100644 --- a/testinfra/test_lists_o_o.py +++ b/testinfra/test_lists_o_o.py @@ -32,82 +32,83 @@ def test_mm_list_is_present(host): assert 'zuul-discuss' in cmd.stdout def test_mm_list_site(host): - cmd = host.run('curl ' - '--resolve lists.airshipit.org:80:127.0.0.1 ' - 'http://lists.airshipit.org/cgi-bin/mailman/listinfo') - assert 'lists.airshipit.org Mailing Lists' in cmd.stdout cmd = host.run('curl --insecure ' '--resolve lists.airshipit.org:443:127.0.0.1 ' 'https://lists.airshipit.org/cgi-bin/mailman/listinfo') assert 'lists.airshipit.org Mailing Lists' in cmd.stdout - cmd = host.run('curl ' - '--resolve lists.opendev.org:80:127.0.0.1 ' - 'http://lists.opendev.org/cgi-bin/mailman/listinfo') - assert 'lists.opendev.org Mailing Lists' in cmd.stdout cmd = host.run('curl --insecure ' '--resolve lists.opendev.org:443:127.0.0.1 ' 'https://lists.opendev.org/cgi-bin/mailman/listinfo') assert 'lists.opendev.org Mailing Lists' in cmd.stdout - cmd = host.run('curl ' - '--resolve lists.openinfra.dev:80:127.0.0.1 ' - 'http://lists.openinfra.dev/cgi-bin/mailman/listinfo') - assert 'lists.openinfra.dev Mailing Lists' in cmd.stdout cmd = host.run('curl --insecure ' '--resolve lists.openinfra.dev:443:127.0.0.1 ' 'https://lists.openinfra.dev/cgi-bin/mailman/listinfo') assert 'lists.openinfra.dev Mailing Lists' in cmd.stdout - cmd = host.run('curl ' - '--resolve lists.openstack.org:80:127.0.0.1 ' - 'http://lists.openstack.org/cgi-bin/mailman/listinfo') - assert 'lists.openstack.org Mailing Lists' in cmd.stdout cmd = host.run('curl --insecure ' '--resolve lists.openstack.org:443:127.0.0.1 ' 'https://lists.openstack.org/cgi-bin/mailman/listinfo') assert 'lists.openstack.org Mailing Lists' in cmd.stdout - cmd = host.run('curl ' - '--resolve lists.starlingx.io:80:127.0.0.1 ' - 'http://lists.starlingx.io/cgi-bin/mailman/listinfo') - assert 'lists.starlingx.io Mailing Lists' in cmd.stdout cmd = host.run('curl --insecure ' '--resolve lists.starlingx.io:443:127.0.0.1 ' 'https://lists.starlingx.io/cgi-bin/mailman/listinfo') assert 'lists.starlingx.io Mailing Lists' in cmd.stdout - cmd = host.run('curl ' - '--resolve lists.zuul-ci.org:80:127.0.0.1 ' - 'http://lists.zuul-ci.org/cgi-bin/mailman/listinfo') - assert 'lists.zuul-ci.org Mailing Lists' in cmd.stdout cmd = host.run('curl --insecure ' '--resolve lists.zuul-ci.org:443:127.0.0.1 ' 'https://lists.zuul-ci.org/cgi-bin/mailman/listinfo') assert 'lists.zuul-ci.org Mailing Lists' in cmd.stdout -def test_mm_list_site_redirect_listinfo_http(host): +def test_mm_list_site_redirect_http(host): + cmd = host.run('curl ' + '--resolve lists.airshipit.org:80:127.0.0.1 ' + 'http://lists.airshipit.org/cgi-bin/mailman/listinfo') + assert ('The document has moved here') in cmd.stdout + cmd = host.run('curl ' + '--resolve lists.opendev.org:80:127.0.0.1 ' + 'http://lists.opendev.org/cgi-bin/mailman/listinfo') + assert ('The document has moved here') in cmd.stdout + cmd = host.run('curl ' + '--resolve lists.openinfra.dev:80:127.0.0.1 ' + 'http://lists.openinfra.dev/cgi-bin/mailman/listinfo') + assert ('The document has moved here') in cmd.stdout cmd = host.run('curl ' '--resolve lists.openstack.org:80:127.0.0.1 ' - 'http://lists.openstack.org/cgi-bin/mailman/listinfo/staff') + 'http://lists.openstack.org/cgi-bin/mailman/listinfo') assert ('The document has moved here') in cmd.stdout - cmd = host.run('curl --location ' - '--resolve lists.openinfra.dev:80:127.0.0.1 ' - '--resolve lists.openstack.org:80:127.0.0.1 ' - 'http://lists.openstack.org/cgi-bin/mailman/listinfo/staff') + cmd = host.run('curl ' + '--resolve lists.starlingx.io:80:127.0.0.1 ' + 'http://lists.starlingx.io/cgi-bin/mailman/listinfo') + assert ('The document has moved here') in cmd.stdout + cmd = host.run('curl ' + '--resolve lists.zuul-ci.org:80:127.0.0.1 ' + 'http://lists.zuul-ci.org/cgi-bin/mailman/listinfo') + assert ('The document has moved here') in cmd.stdout + +def test_mm_list_site_redirect_listinfo(host): + cmd = host.run('curl --insecure ' + '--resolve lists.openstack.org:443:127.0.0.1 ' + 'https://lists.openstack.org/cgi-bin/mailman/listinfo/staff') + assert ('The document has moved here') in cmd.stdout + cmd = host.run('curl --insecure --location ' + '--resolve lists.openinfra.dev:443:127.0.0.1 ' + '--resolve lists.openstack.org:443:127.0.0.1 ' + 'https://lists.openstack.org/cgi-bin/mailman/listinfo/staff') assert 'Staff Info Page' in cmd.stdout -def test_mm_list_site_redirect_archives_http(host): - cmd = host.run('curl ' - '--resolve lists.openstack.org:80:127.0.0.1 ' - 'http://lists.openstack.org/pipermail/staff/') - assert ('The document has moved here') in cmd.stdout - cmd = host.run('curl --location ' - '--resolve lists.openinfra.dev:80:127.0.0.1 ' - '--resolve lists.openstack.org:80:127.0.0.1 ' - 'http://lists.openstack.org/pipermail/staff/') - assert '

The Staff Archives

' in cmd.stdout - -def test_mm_list_site_redirect_archives_https(host): +def test_mm_list_site_redirect_archives(host): cmd = host.run('curl --insecure ' '--resolve lists.openstack.org:443:127.0.0.1 ' 'https://lists.openstack.org/pipermail/staff/')